Internal Controls in Fraud Prevention
Procurement
Sripriya Kumar
Overview
• Internal Controls
• Fraud
• Procurement
• Inventories
CA 2013 – A Changed Control Landscape
• Threshold Based Compliances
• Significant responsibilities on KMP, Independent Directors
• Focus towards process driven rather than results oriented governance
• Audit Rotation
• Introduction of Internal Audit
• Filing of resolutions
• Fraud reporting by auditors
• Fraud defined
• Internal Financial Controls over Financial Reporting – Auditors and BoD
Auditors Report Contents | Old Law
Qualification, reservation or adverse remark on maintenance of accounts | Not in the Old Act
Adequacy and operating effectiveness of internal financial controls | Not in the Old Act, not applicable for financial statements for year ended March 31, 2015
Other matters including: 1. Disclosure of impact of pending litigations on the financial position. 2. Creation of provisions on foreseeable material losses on long term contracts. 3. Delay in transferring amounts such as the Investor Education and Protection Fund. 4. CARO (notified recently) | Not in the old Act, Rule 11 of Companies (Audit and Auditors Rules 2014); CARO modified in the latest Act
Directors Responsibility Statement
Report | All Companies | Listed Cos | New / Old
Directors had prepared accounts on a going concern basis | Yes | Yes | Old 217(2AA)
Applicable accounting standards have been followed and material departures disclosed | Yes | Yes | Old 217(2AA)
Selection and application of accounting policies to ensure prudence, true and fair | Yes | Yes | Old 217(2AA)
Adequate accounting records have been maintained for safeguarding assets and preventing frauds and irregularities | Yes | Yes | Old 217(2AA)
Proper systems to ensure compliance with the provisions of applicable laws and such systems were adequate and operating effectively | Yes | Yes | New
Directors have laid down internal financial controls which are adequate and operating effectively | Not Applicable | Yes | New
The Onion Gets More intense
Self-Assessment
Quality Assurance Reviews
Internal Audit
Peer Reviews
Management Oversight
Statutory Audit / Regulators
RISK
Definition
• Probability of
• An Uncertainty
• Resulting in
• A Loss
Characteristics
• Cannot be eliminated
• Strategic and operational
• External / Internal
• Can only be managed / reduced
• Materiality of the risk is important
Risk caused by Possibility of Fraud is Fraud Risk
Risk management
Operational
Strategic
ICFR Others
ERM
Risk management functions will play a key role in organisations
Key terms
Risk and Controls
Operations Risk
Financial Risk
Compliance Risk
Understand Business Processes
Process Flows components
Control Design
Operating Effectiveness
Terms
Internal Audit
Business Process Mapping
Preventive Detective Corrective
Manual and Automated Controls
Organisation structure / DOA
Standard Operating Procedures
• Risk
• Risk families
• Controls
• Control families
• IT environment
Risk Families
1. Strategic / Franchise Risk
2. Legal / Compliance Risk
3. Financial Reporting Risk
4. Staffing / Organization Risk
5. Credit Risk
6. Insurance Risk
7. Sovereign Risk / Cross Border Risk
8. Market Risk
9. Operational Risk
10. System / Technology Risk
Fraud Risks are Agnostic Risks and are embedded in all Risk Families
Elements of Internal Control
Control Environment
Monitoring
Information System and Communication
Control Activities
Risk Assessment
• Paragraph 4(c) of the Standard on Auditing (SA) 315
“Identifying and Assessing the Risks of Material
Misstatement Through Understanding the Entity and
Its Environment” defines the term ‘internal control’
as “the process designed, implemented and
maintained by those charged with governance,
management and other personnel to provide
reasonable assurance about the achievement of an
entity’s objectives with regard to reliability of
financial reporting, effectiveness and efficiency of
operations, safeguarding of assets, and compliance
with applicable laws and regulations. The term
“controls” refers to any aspects of one or more of
the components of internal control.”
IFCR
ICFR
134(5) Directors Report
Rule 8(5)(viii) Companies Accounts Rules
143(3) Auditors Report
The term “internal financial controls” has been defined to mean the policies and procedures adopted by the company for ensuring the following:
• the orderly and efficient conduct of its business,
• including adherence to company’s policies,
• the safeguarding of its assets,
• the prevention and detection of frauds and errors,
• the accuracy and completeness of the accounting records, and
• the timely preparation of reliable financial information
Methodology
Activities and Processes
Risk Families
Control design
Operating Effectiveness
Financial Statement Component
Process
Sub Process
Activity
GL Accounts and disclosures
Risk
Control Available
If yes, description of the control
Type of control
Process Owner
Process operator ( control administrator )
Testing Plan
Testing Document reference
Result
Remediation plan
Final remediation status
Procure to pay
• Examine the present procure to pay environment and understand the existing preventive and detective control framework to mitigate frauds and errors
• Identify potential fraud risk and other risk vulnerabilities through effective analytics, internal audit and an evaluation process
Procure to Pay
The Processes in the Procure to Pay life cycle to ensure existence, appropriateness and commensuration of control design and efficacy of operating effectiveness
Delegation of Authority
Key Aspects For Consideration
Control Ideas Fraud Risk
DOA to be signed and approved by relevant signatories of entity Board and not delegates
Handling of Temporary delegation
Cross functional negotiation team to be constituted with defined value limits and documents to be signed by all parties
Levels of authority to be defined for PO amendments to mandate approval by next higher authority
DOA to include relevant clauses in relation to
• Non splitting of contracts
• Maintenance of supporting documentation
• Delegate not to be the beneficiary of the transaction authorised by him/herself
DOA to define the following with sample formats
• Note for Approval, Contracts, PO, PR, Justification Notes
Approved DOA document exists and IT system DOA should be as approved in the physical DOA approval
Temporary delegation of authority to be made to the same level of personnel and signed by HR and Finance heads
Vendor Empanelment
Key Aspects For Consideration
Control Ideas Fraud Risk
Pre – audit and evaluation processes to be implemented for all new vendors & on one time basis for existing vendors and updated in ERP
Supplier application forms should be available, complete in all respects and signed by the vendor authorised signatory prior to finance approval
Empanelment and supplier inclusions to be done with Finance and SCM approvals in writing in all cases
Process to enlist new suppliers and to ensure that new enquiries are duly considered by the entity
Process to be defined to block / black list suppliers to ensure that business cannot be transacted with such suppliers
Accuracy of vendor master data with reference to base documents provided to be ensured with appropriate offline maker checker controls
Related Party Transaction disclosures at the time of empanelment and strict covenants
Master Data
Key Aspects For Consideration
Control Ideas Fraud Risk
Supplier categories such as Sole suppliers, Approved repairers, Preferred Suppliers etc and buying type to be documented to enable user to select right type at the time of raising PO
Master Data Completeness to be ensured in all cases
Active vendor list to be maintained in IT system & Duplicate and Related vendors to be eliminated / flagged. Offline list of other vendors may be maintained to ensure that alternate suppliers may be available for sourcing
All masters to be handled by Master Data team and not by user departments ( creations and modifications)
Coding of inventory
PO types to be maintained in IT system as separate series for ( Material, Service, Inter co, Subcontracting, Transfers ). Capex to be added
UOM’s to be predominantly in units or tonnage and be consistent across items of similar type. For instance, all drums should be classified as drums and not as drums or kg
Audit logs of all changes to master data and non variable terms of PO’s to be enabled as a report
Inactive codes to be blocked
Contract Formats
Key Aspects For Consideration
Control Ideas Fraud Risk
Terms and Conditions ( General ) and specific long form Contract formats not cleared by legal team
There are no clear definitions of which trade arrangements can be formalised as Purchase Orders and which need unique contract terms and conditions.
Repository of contracts to be enabled in ERP as Contract Register to ensure better controls over tracking of renewals as well as to enable sub-PO releases
Terms and Conditions not part of PO as acknowledged by vendor. No acknowledgements are insisted upon
General Terms and Conditions do not specify arbitration clause / jurisdiction in case of dispute.
Credit period as per General Terms and Conditions is specified as 45 days and needs to be consistent with actual credit periods as granted
Terms and Conditions do not provide clear details of policies to be complied ( version and date ).
Usage of vendor advised formats. Such cases need to be specifically vetted by legal
Clauses reflecting less favourable terms ( eg. termination ) than Company standard format not to be agreed without specific highlight of the same to the authorised signatory
Items not covered in service contracts should not be sourced from the same vendor without competitive sourcing only on the reason that there is a contract with the vendor
Purchase Requisitions (PR)
Key Aspects For Consideration
Control Ideas Fraud Risk
Requisition justification and approvals to be filed along with PR’s with signature of supervisor for approval of the PR
PR’s ( same date – same suggested vendor ) split where such splits result in approvals being obtained from a lower threshold signatory to be reviewed
Pending Purchase Requisitions to be reviewed and actioned on a timely basis
User involvement in suggesting the vendor to be used is to be minimised progressively by maintaining a robust procurement database in ERP with vendor stratification to appropriate product groups
Requisitions raised and forwarded to the Procurement team to indicate M / Sole supplier etc. to enable further negotiations for non stock items. In cases where user recommended suppliers are preferred without multiple quotes, such PR’s should be approved in writing by the HOD
PR in the event of emergencies to be reviewed
Quote to Award
Key Aspects For Consideration
Control Ideas Fraud Risk
Request For quotes to be maintained properly and filed along with PO’s. RFQ formats and Comparative Statement of Quotes to be uniformly implemented and archived by enabling ERP functionality (*)
Competitive sourcing to be waived for certain categories of purchase transactions only based on robust approvals and defined contracts ( eg. Sole supplier, M etc )
PO creator and Approving manager should ensure that all relevant parties have been considered in the RFQ process and previously applied rates are reviewed
Orders to be placed only on the basis of recent quotes and within the quote validity period
Comparative Statement of Quotes to be prepared for all PO’s > certain value
All cases of quote waiver to be evidenced by a Justification Note and approved by HOF for PO’s exceeding a certain value threshold
Vendor quotes should be complete for Item , Price, taxes, Lead time, delivery location, validity period in all cases
PO’s raised after receipt of material / services to be reviewed on a periodic basis
Non L1 contracts to be backed by Justification Notes in all cases and should be approved by higher authority
Quote to Award – Tendering Process
Key Aspects For Consideration
Control Ideas Fraud Risk
Tender process not followed for certain contracts
Tenders received by E Mail to the assigned ID can be opened and printed before tender closing date
Invitation to Tender not sent to all approved list of recommended vendors
Tenders not addressed to Tender Committee.
Tender receipt date not stamped on tender documents received
Tender opening date and time to be stamped on ALL pages of the tender.
Persons opening the tender to sign on all pages containing price information. Not done in many cases
Certain tender documents not available on record
Identical Quote formats to be reviewed
Quotes in incomplete formats. Eg. No address, no phone number, no mail id, no web site, no TIN number, no Service tax reference
Purchase Order Creation and Approvals
Key Aspects For Consideration
Control Ideas Fraud Risk
PO creation and Authorisation by the same person to be avoided
PO splits for same date / same vendor transaction resulting in approvals being diluted to be reviewed
Multiple PO’s to be avoided by configuring structured scheduling agreements which can simplify PO generation for materials & services. Rate contracts with M’s and special prices to be finalised at the earliest
PO acknowledgements from vendor to be enabled
Open PO’s closure protocols to be enabled
Purchase Order Amendments
Key Aspects For Consideration
Control Ideas Fraud Risk
Amendments regardless of nature or value to be approved by next higher level of authority
Supporting documents for the amendment to be filed along with the PO amendment print out
Amendment reports to be reviewed for large / unusual / exceptional transactions
All material / service receipts to be only after creation of PO’s
Material Receipt Certification
Key Aspects For Consideration
Control Ideas Fraud Risk
Quality flagging at material code level to be done
Quality policy / protocols for items to be defined – Visual Inspection or Detailed inspections.
QC parameters to be defined for major items to be decided
Separate team to be enabled for QC approval
Items for which no QC required to be decided based on supplier review ( ISO certifications )
Weighment slips for bulk materials not signed by person conducting the weighment at the weighbridge and the driver of the vehicle
Delays in GRN to be avoided and tracked
Delay in GRN for direct receipt of materials by users not tracked for prompt closure ( eg. Cement )
Duplicate supplier accounts to be reviewed
Bill receipt and certification
Key Aspects For Consideration
Control Ideas Fraud Risk
Bill should not be addressed to user and Bill to be received at Vendor help desk
Liability to be accounted after review
All invoices to contain a serial number and to be in original
Duplication to be checked for
Payment based on GRN / Service receipt certification
Payment directly to vendor